ZAP opening up multiple browser instances


Rajat Gupta

Apr 29, 2021, 1:23:34 AM
to OWASP ZAP User Group
When I am initiating a ZAP from the API, it is opening up multiple pop-ups of my browser (Mozilla Firefox) and asking me to save the API response on my laptop. Is there any way that I can control the opening of the browser from ZAP?

Simon Bennetts

Apr 29, 2021, 4:06:28 AM
to OWASP ZAP User Group
"Initiating a ZAP" - you'll need to tell us more than that :)
Are you using the ZAP desktop or running it in daemon mode?
What are you actually doing?

If you are running an active scan then ZAP will launch browsers to test for DOM XSS vulnerabilities, but by default these will be headless so you should not see them.

Cheers,

Simon

Rajat Gupta

Apr 29, 2021, 5:31:07 AM
to OWASP ZAP User Group
We are running in daemon mode.
We are doing an active scan and we observed this while running the scan. The pop-up stays there till the end of the scan and we have to kill all of them manually.

Version:
ZAP : 2.10
Geckodriver: 0.29
Firefox: 88


Simon Bennetts

Apr 29, 2021, 6:07:48 AM
to OWASP ZAP User Group
Interesting - I've not seen that before.
Have you changed default browser that ZAP uses?
Is it popping up a load of HTML pages? If not what do the pop-ups contain? Please obfuscate any sensitive information.

Rajat Gupta

Apr 29, 2021, 6:21:40 AM
to OWASP ZAP User Group
We haven't changed the browser.
The pop-up is trying to download the response.

Rajat Gupta

Apr 29, 2021, 7:17:02 AM
to OWASP ZAP User Group
More Information:
Our application downloads files at certain endpoints, and when ZAP is performing an active scan and visits those endpoints, it gives the pop-up to save those files.


thc...@gmail.com

Apr 29, 2021, 7:18:02 AM
to zaprox...@googlegroups.com
By default ZAP uses a headless browser in the active scan, which would not show pop-ups.

Are you seeing the main window of the browser too?

Best regards.

Rajat Gupta

May 4, 2021, 7:53:11 AM
to OWASP ZAP User Group
No, just the pop ups.

Rajat Gupta

May 11, 2021, 5:12:05 AM
to zaprox...@googlegroups.com
ZAP is opening Firefox during the active scan and prompting us to save the response by opening Windows Explorer. I am attaching a screenshot for the same.


Simon Bennetts

May 11, 2021, 5:20:40 AM
to OWASP ZAP User Group
I can reproduce this, but only when using the non-headless browsers.
However, I'm using macOS rather than Windows, so this could be platform specific.
I'm playing around with some potential workarounds, but so far none of them work all of the time - this is really a browser / Selenium issue :/

Just to double check - you haven't set anything in the Options / Rule Configuration for "rules.domxss.browserid", have you?
You can disable the "Cross Site Scripting (DOM Based)" rule, but then you won't be checking for DOM XSS vulnerabilities...

Cheers,

Simon
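As an added example (not code from the thread or from the ZAP project), this is how the workaround Simon mentions, disabling the "Cross Site Scripting (DOM Based)" rule, can be applied to a daemon-mode scan through ZAP's API using the `python-owasp-zap-v2.4` client; the rule name comes from the post, while the daemon address, the API key and the shape of the `ascan.scanners()` entries are assumptions, so the rule is located by name rather than by a hard-coded id.

```python
"""Disable ZAP's DOM XSS active-scan rule before a daemon-mode scan.

Added example; assumes the python-owasp-zap-v2.4 client and a ZAP daemon
listening on 127.0.0.1:8080 with API key "changeme" (adjust to your setup).
The rule is found by its UI name so no scanner id has to be hard-coded.
"""

DOM_XSS_RULE_NAME = "Cross Site Scripting (DOM Based)"  # name shown in Options / Scan Policy


def ids_for_rule(scanners, name):
    """Return the ids of scanners whose name matches.

    `scanners` is the list that zap.ascan.scanners() returns: one dict per rule
    with at least "id", "name" and "enabled" keys (assumed shape).
    """
    return [s["id"] for s in scanners if s.get("name") == name]


def disable_dom_xss(zap, policy=None):
    """Disable the DOM XSS rule in the given scan policy (default policy when None).

    Returns the list of ids that were disabled so the caller can log them or
    re-enable them after the scan. An empty list means the rule was not found.
    """
    ids = ids_for_rule(zap.ascan.scanners(scanpolicyname=policy), DOM_XSS_RULE_NAME)
    if ids:
        # disable_scanners takes a comma-separated id string
        zap.ascan.disable_scanners(",".join(ids), scanpolicyname=policy)
    return ids


if __name__ == "__main__":
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4

    # Assumed daemon address and API key.
    proxy = "http://127.0.0.1:8080"
    zap = ZAPv2(apikey="changeme", proxies={"http": proxy, "https": proxy})
    print("disabled scanner ids:", disable_dom_xss(zap))
```

Re-enable the rule with `zap.ascan.enable_scanners(...)` once the scan is done, since leaving it off means DOM XSS is no longer tested, as Simon notes.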